One path we saw in a couple exploits was to trick the code for moving
frames between documents into keeping the frame alive outside of the
DOM. Having a live frame outside of the DOM caused all kinds of
madness.
The underlying problem is that it's a strange, uncommon situation that
affects many code paths. When folks write those code paths, they
don't think about the live-frame-outside-the-DOM case and that
situation doesn't get hardly any testing.
Adam
On Thu, Apr 12, 2012 at 12:41 PM, Ojan Vafai <ojan at chromium.org> wrote:
> I thought the issue here was with moving iframes across documents, not with
> keeping disconnected iframes alive. I'll ping the engineers working on this
> and see if I can get more information.
>
> On Thu, Apr 12, 2012 at 12:37 PM, Adam Barth <w3c at adambarth.com> wrote:
>>
>> We just got finished removing this feature from WebKit because it
>> caused many security and stability problems. ?It turns out that
>> there's a lot of code in browsers that can't cope with a disconnected
>> iframe being alive.
>>
>> Adam
>>
>>
>> On Thu, Apr 12, 2012 at 12:35 PM, Ojan Vafai <ojan at chromium.org> wrote:
>> > We should add a keepalive attribute to iframes that prevents iframes
>> > from
>> > being unloaded/reloaded when removed from or appended to a document.
>> > Similarly, a disconnected iframe with keepalive should load. If the
>> > keepalive attribute is removed from a disconnected iframe, then it
>> > should
>> > unload.
>> >
>> > I'm not terribly happy with the name 'keepalive', but I can't think of
>> > anything better at the moment.
>> >
>> > As iframes increasingly become the standard way of achieving certain
>> > tasks
>> > (e.g. sandboxing), it's increasingly important to be able to move them
>> > around in the DOM. Right now, to achieve this sort of keepalive
>> > behavior,
>> > you have to keep the iframe always appended to the document and position
>> > it
>> > absolutely as the document changes.
>> >
>> > Ojan
>
>